#24063 .htpasswd has no effect

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Saturday, 06 February 2016 17:20 CST

Boumy
Hello.

I installed AT PRO and filled in the web form of the Quick Setup Wizard to allow Password-protect Administrator.
When saving, I had the browser dialog box open only once, asking for the allowed user and password. I don't remember exactly when I mismatched my credentials but, of course, my IP was soon banished and I was treated badly :D

So… I deactivated main.php in /plugins/system/admintools/admintools/ (please note that there are two admintools folders whereas the help page doesn't mention this). When I was in the AT PRO back-end again, I clicked on the "allow my IP" (or the kind) button and then renamed main.php back to its genuine name.

After that I never encountered the browser dialog box to first log in as an authorized user.

When I read further on this problem, I double-checked whether the .passwd file was actually created in the /administrator folder, and the answer is: yes. It contains something like:
notajoomlausernamewithonlyaz09:AkindOFencryptedPAS$$w0rdetc.

and the .htaccess file above includes:
AuthUserFile "/var/www/vhosts/mystie.com/httpdocs/administrator/.htpasswd"
AuthName "Restricted Area"
AuthType Basic
require valid-user

RewriteEngine On
RewriteRule \.htpasswd$ - [F,L]


So what's wrong?

I have tried with another browser, the same issue: only Joomla login.
I have read again this page https://www.akeebabackup.com/documentation/troubleshooter/atwafissues.html and deleted the Security Exceptions log. Didn't help. And there is no white list.

I pushed the Purge sessions button, the same issue.

I don't know if AT PRO is secure, but one thing is sure, I'll never be able to hack anything… except, maybe, a banana :D

Any idea? I did my best… (tired) :(

Thank you.

dlb
That is very strange. Disabling main.php would not have any effect on the .htaccess file within the /administrator folder. Not all servers support password protecting a folder tree. Another clue is that you got yourself locked out by Admin Tools. The folder password protection would not trigger that lockout. The password protection is at the Apache server level; it kicks in long before PHP or Joomla! or Admin Tools is loaded.

You can try to set up the password protection again. You can access it from the Admin Tools main page, Password protect Administrator.


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)
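
A way to test the server layer described in this reply, as an added example (not part of the ticket and not Akeeba's code): it checks that the .htaccess quoted in the ticket carries the directives Apache Basic authentication needs, and classifies what a request sent without credentials gets back. The function names and the sample responses are assumptions made for the illustration.

```python
# Constructed sample: the directives quoted in the ticket's .htaccess.
TICKET_HTACCESS = r'''AuthUserFile "/var/www/vhosts/mystie.com/httpdocs/administrator/.htpasswd"
AuthName "Restricted Area"
AuthType Basic
require valid-user

RewriteEngine On
RewriteRule \.htpasswd$ - [F,L]
'''

REQUIRED = ("authtype", "authname", "authuserfile", "require")

def parse_auth_directives(htaccess_text):
    """Return {directive_lowercase: argument} for the auth-related lines."""
    found = {}
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() in REQUIRED:
            found[parts[0].lower()] = (parts[1] if len(parts) > 1 else "").strip('"')
    return found

def audit_htaccess(htaccess_text):
    """List configuration gaps that would keep Basic auth from being set up."""
    d = parse_auth_directives(htaccess_text)
    problems = ["missing " + name for name in REQUIRED if name not in d]
    if d.get("authtype", "basic").lower() != "basic":
        problems.append("AuthType is not Basic")
    if "authuserfile" in d and not d["authuserfile"].startswith("/"):
        problems.append("AuthUserFile is relative (resolved against ServerRoot)")
    return problems

def classify_response(status, headers):
    """Interpret an unauthenticated GET of /administrator/ (hypothetical helper)."""
    challenge = {k.lower(): v for k, v in headers.items()}.get("www-authenticate", "")
    if status == 401 and challenge.lower().startswith("basic"):
        return "enforced"        # Apache challenged before PHP or Joomla! ran
    if status == 200:
        return "not-enforced"    # page served with no challenge at all
    if status >= 500:
        return "server-error"    # the server failed while handling the request
    return "inconclusive"
```

A client that holds no stored credentials, such as a fresh command-line request, gets the 401 challenge whenever the protection is active, whatever a browser session has cached.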

Boumy
Thank you for your explanations.
For some reason, the Back end got "more vigilant" on the next day. It asked me for the first user/password before displaying the Joomla connection.
I notice that as long as I don't quit the browser (Chrome) I may disconnect and reconnect myself without the directory .htaccess identification. But if I quit, or maybe the next day, I will have to identify twice.
It sounds acceptable and logical and… more suitable to work on the back end.

dlb
The Apache password is not required, everything will work very nicely without it. It is very good protection for your administrative area though. Some badly written extensions will not work with it. If you have one, you will get a password prompt on the front end.



Boumy
> The Apache password is not required, everything will work very nicely without it

All right, if I remember well, it is the first setting that is proposed when we open the Quick Setup Wizard right after the installation of AdminTools. So… you can imagine that I gave it a lot of interest. ;)

> Some badly written extensions will not work with it. If you have one, you will get a password prompt on the front end

Really? That's very disappointing.

Thank you.

dlb
I think it is important that you use at least one of the back end protection features. Whether it is the secret parameter or the /administrator folder password doesn't really matter. Either or both will put a barrier between hackers and your back end login screen.

I probably should not have shared that comment about the password protection not working with all extensions. It is not a widespread problem. Keep in mind that as part of my profession I am always thinking about what can go wrong.



System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
